Comments for Alex Glosband
http://www.alexglosband.com

Comment on Disabling Session Re-Writing in BlazeDS and LCDS by The ADEP Post | Disabling Session Re-Writing in BlazeDS and LCDS
http://www.alexglosband.com/2011/04/disabling-session-re-writing-in-blazeds-and-lcds/#comment-3390
Wed, 02 Nov 2011 08:22:19 +0000

[...] - Alex Glosband [...]

Comment on Avoiding duplicate session detected errors in LCDS (and BlazeDS) by Duplication session error « Lin's Blog
http://www.alexglosband.com/2010/03/avoiding-duplicate-session-detected-errors-in-lcds-and-blazeds/#comment-3377
Mon, 13 Jun 2011 22:33:23 +0000

[...] is established on the server for the first request. solution: there are two options (See details here.): a). the flex app should make the initial request and waits for its response (so a session is [...]

Comment on Disabling Session Re-Writing in BlazeDS and LCDS by Mike Slinn
http://www.alexglosband.com/2011/04/disabling-session-re-writing-in-blazeds-and-lcds/#comment-3300
Wed, 06 Apr 2011 01:09:07 +0000

Alex,

Thanks for the information. I have added it to our Security White Paper for the Adobe Flash Platform (http://micronauticsresearch.com/publications/flashSec.jsp).

Mike

Comment on Disabling Session Re-Writing in BlazeDS and LCDS by aglosband
http://www.alexglosband.com/2011/04/disabling-session-re-writing-in-blazeds-and-lcds/#comment-3295
Sun, 03 Apr 2011 21:54:28 +0000

Thanks for the comments, Mike. I'm aware that most app servers including Tomcat have the ability to disable URL rewriting at the app server level.

The issue here is that BlazeDS and LCDS do their own custom URL rewriting. There is currently no switch to turn this off so even if you disabled URL rewriting at the app server level, BlazeDS/LCDS could still add the session id as a header to the AMF or AMFX message and the client would then pull this out and send the session id on the URL with every request.

So, even if you disable URL rewriting at the app server level I'd still recommend writing a custom channel to disable URL rewriting in BlazeDS/LCDS for high value sites.

As for the HttpOnly attribute, I think it's a good idea to use it even though not all browsers support it. I don't see any issues using it with BlazeDS/LCDS.

Comment on Disabling Session Re-Writing in BlazeDS and LCDS by Mike Slinn
http://www.alexglosband.com/2011/04/disabling-session-re-writing-in-blazeds-and-lcds/#comment-3294
Sun, 03 Apr 2011 19:29:56 +0000

Alex,

Thank you for your post; it is most interesting - and not boring (to me!)

The Tomcat docs (http://tomcat.apache.org/tomcat-6.0-doc/config/context.html) seem to say that setting the disableURLRewriting attribute of the Context element false perform the same purpose as CustomHTTPChannel and CustomAMPChannel. Any comment?

Also, the useHttpOnly attribute seems to provide extra security. Are you aware of any problems when using it?

Mike

Comment on Avoiding duplicate session detected errors in LCDS (and BlazeDS) by Duplicate session errors in LCDS/BlazeDS « My Journey
http://www.alexglosband.com/2010/03/avoiding-duplicate-session-detected-errors-in-lcds-and-blazeds/#comment-2222
Wed, 26 Jan 2011 21:40:44 +0000

[...] think the best existing explanation of the error is from the following post from my co-worker Alex Glosband. In a nutshell, every SWF on the client is represented as a [...]

Comment on Avoiding duplicate session detected errors in LCDS (and BlazeDS) by Ryan H
http://www.alexglosband.com/2010/03/avoiding-duplicate-session-detected-errors-in-lcds-and-blazeds/#comment-179
Thu, 10 Jun 2010 17:42:45 +0000

We were able to successfully recompile BlazeDS 3.2 with session checking off, and our app is now working as it did with CF8 (or at least it seems to be working).

I have also spent a lot of time working with Adobe Support to get the issue identified as a bug, hopefully it will be addressed in a future release of BlazeDS.

Comment on Avoiding duplicate session detected errors in LCDS (and BlazeDS) by flx
http://www.alexglosband.com/2010/03/avoiding-duplicate-session-detected-errors-in-lcds-and-blazeds/#comment-141
Fri, 28 May 2010 05:53:10 +0000

Hi Alex,

I tried first approach but it does not work for me. I made generated html as jsp with page directive having session = true.

Am I missing anything?

Thx

Comment on Avoiding duplicate session detected errors in LCDS (and BlazeDS) by Good Forex
http://www.alexglosband.com/2010/03/avoiding-duplicate-session-detected-errors-in-lcds-and-blazeds/#comment-127
Thu, 20 May 2010 09:20:45 +0000

Cool, really good sharing this. ;-)

Comment on Avoiding duplicate session detected errors in LCDS (and BlazeDS) by Ryan H
http://www.alexglosband.com/2010/03/avoiding-duplicate-session-detected-errors-in-lcds-and-blazeds/#comment-114
Thu, 13 May 2010 16:22:20 +0000

We are trying to get to the bottom of this "duplicate HTTP-based FlexSessions" error. As we've been moving from CF8 to CF9 all of our tests worked well until we tried using a CF 9 server with two instances (with round robin). Now our Flex app won't work at all.

With two instances, this error shows up very often, it even prevents our app from loading, anywhere from 3-5 calls seem to work, and then we will see this message.

This wasn't a problem with CF8 and LCDS Express 2.6.1, is this error new with a particular version of BlazeDS/LCDS?